csaf_certbund - wid-sec-w-2025-0898

WID-SEC-W-2025-0898

Vulnerability from csaf_certbund - Published: 2025-04-28 22:00 - Updated: 2025-04-28 22:00

Summary

xwiki: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

XWiki ist eine Open-Source-Wiki-Software-Plattform, für die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in xwiki ausnutzen, um falsche Informationen darzustellen, einen Denial-of-Service auszulösen, Benutzerrechte zu erlangen oder Cross-Site-Scripting durchzuführen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "XWiki ist eine Open-Source-Wiki-Software-Plattform, f\u00fcr die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in xwiki ausnutzen, um falsche Informationen darzustellen, einen Denial-of-Service auszul\u00f6sen, Benutzerrechte zu erlangen oder Cross-Site-Scripting durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0898 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0898.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0898 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0898"
      },
      {
        "category": "external",
        "summary": "xwiki GitHub vom 2025-04-28",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96"
      },
      {
        "category": "external",
        "summary": "xwiki GitHub vom 2025-04-28",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-987p-r3jc-8c8v"
      },
      {
        "category": "external",
        "summary": "xwiki GitHub vom 2025-04-28",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87"
      },
      {
        "category": "external",
        "summary": "xwiki GitHub vom 2025-04-28",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x7wv-5qg4-vmr6"
      },
      {
        "category": "external",
        "summary": "xwiki GitHub vom 2025-04-28",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r"
      }
    ],
    "source_lang": "en-US",
    "title": "xwiki: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-04-28T22:00:00.000+00:00",
      "generator": {
        "date": "2025-04-29T11:16:31.102+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0898",
      "initial_release_date": "2025-04-28T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-04-28T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c15.10.13",
                "product": {
                  "name": "Open Source xwiki \u003c15.10.13",
                  "product_id": "T043197"
                }
              },
              {
                "category": "product_version",
                "name": "15.10.13",
                "product": {
                  "name": "Open Source xwiki 15.10.13",
                  "product_id": "T043197-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:15.10.13"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.4.4",
                "product": {
                  "name": "Open Source xwiki \u003c16.4.4",
                  "product_id": "T043198"
                }
              },
              {
                "category": "product_version",
                "name": "16.4.4",
                "product": {
                  "name": "Open Source xwiki 16.4.4",
                  "product_id": "T043198-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.4.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.8.0",
                "product": {
                  "name": "Open Source xwiki \u003c16.8.0",
                  "product_id": "T043199"
                }
              },
              {
                "category": "product_version",
                "name": "16.8.0",
                "product": {
                  "name": "Open Source xwiki 16.8.0",
                  "product_id": "T043199-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.8.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.8.0-rc-1",
                "product": {
                  "name": "Open Source xwiki \u003c16.8.0-rc-1",
                  "product_id": "T043200"
                }
              },
              {
                "category": "product_version",
                "name": "16.8.0-rc-1",
                "product": {
                  "name": "Open Source xwiki 16.8.0-rc-1",
                  "product_id": "T043200-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.8.0-rc-1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.10.12",
                "product": {
                  "name": "Open Source xwiki \u003c15.10.12",
                  "product_id": "T043201"
                }
              },
              {
                "category": "product_version",
                "name": "15.10.12",
                "product": {
                  "name": "Open Source xwiki 15.10.12",
                  "product_id": "T043201-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:15.10.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.4.3",
                "product": {
                  "name": "Open Source xwiki \u003c16.4.3",
                  "product_id": "T043202"
                }
              },
              {
                "category": "product_version",
                "name": "16.4.3",
                "product": {
                  "name": "Open Source xwiki 16.4.3",
                  "product_id": "T043202-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.10.8",
                "product": {
                  "name": "Open Source xwiki \u003c15.10.8",
                  "product_id": "T043203"
                }
              },
              {
                "category": "product_version",
                "name": "15.10.8",
                "product": {
                  "name": "Open Source xwiki 15.10.8",
                  "product_id": "T043203-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:15.10.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.2.0",
                "product": {
                  "name": "Open Source xwiki \u003c16.2.0",
                  "product_id": "T043204"
                }
              },
              {
                "category": "product_version",
                "name": "16.2.0",
                "product": {
                  "name": "Open Source xwiki 16.2.0",
                  "product_id": "T043204-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.2.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "xwiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-32970",
      "product_status": {
        "known_affected": [
          "T043197",
          "T043198",
          "T043199"
        ]
      },
      "release_date": "2025-04-28T22:00:00.000+00:00",
      "title": "CVE-2025-32970"
    },
    {
      "cve": "CVE-2025-32971",
      "product_status": {
        "known_affected": [
          "T043197",
          "T043198",
          "T043200"
        ]
      },
      "release_date": "2025-04-28T22:00:00.000+00:00",
      "title": "CVE-2025-32971"
    },
    {
      "cve": "CVE-2025-32972",
      "product_status": {
        "known_affected": [
          "T043201",
          "T043202",
          "T043200"
        ]
      },
      "release_date": "2025-04-28T22:00:00.000+00:00",
      "title": "CVE-2025-32972"
    },
    {
      "cve": "CVE-2025-32973",
      "product_status": {
        "known_affected": [
          "T043201",
          "T043202",
          "T043200"
        ]
      },
      "release_date": "2025-04-28T22:00:00.000+00:00",
      "title": "CVE-2025-32973"
    },
    {
      "cve": "CVE-2025-32974",
      "product_status": {
        "known_affected": [
          "T043203",
          "T043204"
        ]
      },
      "release_date": "2025-04-28T22:00:00.000+00:00",
      "title": "CVE-2025-32974"
    }
  ]
}

CVE-2025-32972 (GCVE-0-2025-32972)

Vulnerability from cvelistv5 – Published: 2025-04-30 14:54 – Updated: 2025-04-30 15:17

Title

The lesscss script service allows cache clearing without programming right

Summary

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Severity ?

2.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/91…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22462	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 6.1-milestone-1, < 15.10.12 Affected: >= 16.0.0-rc-1, < 16.4.3 Affected: >= 16.5.0-rc-1, < 16.8.0-rc-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32972",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:17:27.713068Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:17:31.398Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-22462"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.1-milestone-1, \u003c 15.10.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.8.0-rc-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T14:54:58.945Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22462",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22462"
        }
      ],
      "source": {
        "advisory": "GHSA-rp38-24m3-rx87",
        "discovery": "UNKNOWN"
      },
      "title": "The lesscss script service allows cache clearing without programming right"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32972",
    "datePublished": "2025-04-30T14:54:58.945Z",
    "dateReserved": "2025-04-14T21:47:11.455Z",
    "dateUpdated": "2025-04-30T15:17:31.398Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32971 (GCVE-0-2025-32971)

Vulnerability from cvelistv5 – Published: 2025-04-30 14:54 – Updated: 2025-04-30 15:18

Title

XWiki Solr script service doesn't take dropped programming right into account

Summary

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1.

Severity ?

3.8 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/65…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22474	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 4.5.1, < 15.10.13 Affected: >= 16.0.0-rc-1, < 16.4.4 Affected: >= 16.5.0-rc-1, < 16.8.0-rc-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32971",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:18:24.466320Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:18:28.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-987p-r3jc-8c8v"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-22474"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.5.1, \u003c 15.10.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.8.0-rc-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn\u0027t take dropped programming rights into account. The Solr script service that is accessible in XWiki\u0027s scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn\u0027t take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T14:54:55.124Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-987p-r3jc-8c8v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-987p-r3jc-8c8v"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/6570f40f976aec82baf388b5239d1412cab238c9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/6570f40f976aec82baf388b5239d1412cab238c9"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22474",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22474"
        }
      ],
      "source": {
        "advisory": "GHSA-987p-r3jc-8c8v",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki Solr script service doesn\u0027t take dropped programming right into account"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32971",
    "datePublished": "2025-04-30T14:54:55.124Z",
    "dateReserved": "2025-04-14T21:47:11.455Z",
    "dateUpdated": "2025-04-30T15:18:28.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32973 (GCVE-0-2025-32973)

Vulnerability from cvelistv5 – Published: 2025-04-30 14:55 – Updated: 2025-04-30 15:15

Title

org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right

Summary

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/1a…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22460	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 15.9-rc-1, < 15.10.12 Affected: >= 16.0.0-rc-1, < 16.4.3 Affected: >= 16.5.0-rc-1, < 16.8.0-rc-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32973",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:14:58.263524Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:15:04.046Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-22460"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 15.10.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.8.0-rc-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T14:55:04.478Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x7wv-5qg4-vmr6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x7wv-5qg4-vmr6"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/1a6f1b2e050770331c9a63d12a3fd8a36d199f62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/1a6f1b2e050770331c9a63d12a3fd8a36d199f62"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22460",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22460"
        }
      ],
      "source": {
        "advisory": "GHSA-x7wv-5qg4-vmr6",
        "discovery": "UNKNOWN"
      },
      "title": "org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32973",
    "datePublished": "2025-04-30T14:55:04.478Z",
    "dateReserved": "2025-04-14T21:47:11.455Z",
    "dateUpdated": "2025-04-30T15:15:04.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32970 (GCVE-0-2025-32970)

Vulnerability from cvelistv5 – Published: 2025-04-30 14:54 – Updated: 2025-04-30 15:19

Title

org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability

Summary

XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/6d…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22487	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 13.5-rc-1, < 15.10.13 Affected: >= 16.0.0-rc-1, < 16.4.4 Affected: >= 16.5.0-rc-1, < 16.8.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32970",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:19:08.694162Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:19:11.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-22487"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.5-rc-1, \u003c 15.10.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.8.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T14:54:52.008Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22487",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22487"
        }
      ],
      "source": {
        "advisory": "GHSA-pjhg-9wr9-rj96",
        "discovery": "UNKNOWN"
      },
      "title": "org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32970",
    "datePublished": "2025-04-30T14:54:52.008Z",
    "dateReserved": "2025-04-14T21:47:11.455Z",
    "dateUpdated": "2025-04-30T15:19:11.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32974 (GCVE-0-2025-32974)

Vulnerability from cvelistv5 – Published: 2025-04-30 14:55 – Updated: 2025-04-30 15:15

Title

org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

Summary

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-116 - Improper Encoding or Escaping of Output
CWE-269 - Improper Privilege Management

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/15…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22002	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 15.9-rc-1, < 15.10.8 Affected: >= 16.0.0-rc-1, < 16.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32974",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-30T15:15:48.847625Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-30T15:15:51.720Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-22002"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 15.10.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn\u0027t consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn\u0027t consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T14:55:01.470Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22002",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22002"
        }
      ],
      "source": {
        "advisory": "GHSA-mvgm-3rw2-7j4r",
        "discovery": "UNKNOWN"
      },
      "title": "org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn\u0027t consider TextAreas with default content type"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32974",
    "datePublished": "2025-04-30T14:55:01.470Z",
    "dateReserved": "2025-04-14T21:47:11.455Z",
    "dateUpdated": "2025-04-30T15:15:51.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0898

CVE-2025-32972 (GCVE-0-2025-32972)

CVE-2025-32971 (GCVE-0-2025-32971)

CVE-2025-32973 (GCVE-0-2025-32973)

CVE-2025-32970 (GCVE-0-2025-32970)

CVE-2025-32974 (GCVE-0-2025-32974)

Tags

Sightings

Nomenclature